PCarroll

Pat Carroll - ValidSoft

The risks from Cyber cime - Hacking - Loss of Data Privacy - Identity Theft and other topical threats - can be greatly reduced by implementation of robust IT Security controls ...

iHack Hastens Call for Multi-factor Authentication

05 September 2014 | 3397 views | 1

“If only I would have known” is a phase that Jennifer Lawrence, Kate Upton and possibly as many as 100 celebrities and notable personalities are likely saying after a
reported massive breach of Apple’s iCloud service resulted in the unauthorized access to, and release of, personal information and photos. While the FBI, dozens of security vendors and
Apple itself are investigating how this massive breach was executed, what should be clear to everyone is that data security policies need to be re-evaluated and updated to reflect the new realities of our mobile world, with one goal: To protect everyone’s
privacy.

Whilst there are many conflicting views about the nature of the attack, the
latest reports suggest that the “iCloud hack” exploited a vulnerability in Apple iCloud’s “Find My iPhone” service which was susceptible to “brute force” programs that repeatedly guess random passwords for a given username until it gets a match. Other reports
suggest that the security questions posed when a user password is forgotten, provided an easier spearphish opportunity for the hackers. Whatever the cause, damage has been done. In the consumer mindset, the view will prevail that if Apple could fail to prevent
such a simple security bug, what confidence can there be that iCloud is secure and safe? What does this tell us about enterprise security in general? If Apple, a company who has made strong statements about their commitment to consumer security and data protection,
is vulnerable to basic security flaws, then what assurance can we have about the safety of our banking, stock and retirement accounts, or even our personal medical records? Unfortunately, because of the many inter-department silos present in today’s enterprise
environments that prevents a systematic and holistic approach to data security, we may never know until it is too late and we read about it in the news.

Data breaches like iCloud, or Target or the suspected breach at
Home Depot, or the countless ones before and certainly the untold many that have yet to come, are repeated reminders that traditional “security”, passwords and PINs aren’t enough, cybercriminals will always find a way to beat the system (both from the outside,
or even worse, from the
inside). Instead of simply trying to keep the bad guys out (which clearly is not working within current deployments), we need to adopt multiple layers of security and multiple factors of authentication which will help ensure that the user accessing the
information is who they purport to be. Strong security must prevail, and the same strength of security must be applied to all aspects of the customer experience: enrolment/registration, usage, and especially transaction and exception processing.

I know many readers will respond to this by saying that multilayer/multifactor authentication will only add complexity to the process, complexity that will draw the ire of end users and customers. For those of us in the transaction security business however,
we already know that multilayer, multifactor authentication must be low friction or even frictionless and invisible in some layers. Ipso facto, the real benefit of a multi-layer/factor approach is that it’s virtually impossible for the fraudster to figure
out what “invisible” layers are being applied and, if you don’t know what security is being applied, it’s extremely difficult if not impossible to break the model. Even if the fraudster does manage to compromise one layer, it’s not a case of break one layer
and the fraudster is in.

Today, we are beginning to see banks, financial institutions and solution providers, like FICO, embracing strong authentication technologies such as: voice biometrics, location correlation, trusted channel Out of Band (OOB) communications and trusted device
(such as a mobile phone), and most importantly transaction verification. The objective is to ensure their customers valuable data and money is protected. It may seem cynical, but in an increasingly mobile and interconnected digital world, we may never truly
eliminate identity theft and data breaches, but we can achieve significant progress through the adoption of strong authentication, whereby we can ensure that should your personal data be stolen, it can be rendered unusable because of additional security and
transaction verification steps.

If Apple had adopted a more robust multilayered, multifactor authentication technology as the de-facto user experience, for example, using its own iPhone as the trusted device/OOB channel, incorporating its finger print biometric reader and geo-location
correlation, hackers would have had significant difficulties in accessing Jennifer Lawrence’s iCloud account. In fact, as soon as an exception occurred, she could have been notified that irregular and unusual account access attempts had been made. With multifactor
authentication, not only would we have better “security” and a better user experience, but we also build trust and gain the peace of mind that when our information is accessed, especially when it is accessed from an unknown device or location, we aren’t kept
in the dark until it’s too late!

There are those who will try to play down the risk of attacks like this, arguing that these celebrities were specifically targeted because they are constantly in the public eye. While this may or may not be true, they now have something in common with an
unfortunately large and growing population…they too have become a cybercrime statistic.

Companies like Apple need to seriously consider multi-factor authentication using multi-modal biometrics. What better way to complement their current iPhone finger print reader than by adding Voice Biometrics? No more PINs or passwords to remember, no more
security questions to guess. Voice Biometrics is now of age for mass market deployment and is an extremely strong but very low friction security model that can complement other clever and often invisible security layers. Such a security architecture is intuitive
and user friendly, yet can provide assurance to non-repudiation level if called upon. Apple already has the majority of the required technology and infrastructure in place, they just need to take that final step. Perhaps the current breach is the catalyst
they need to make such a move.

Comments: (1)

As the latest case of UBER in India illustrates (http://auto.economictimes.indiatimes.com/news/aftermarket/uber-in-talks-to-integrate-digital-wallet-in-india/41994881), it’s still difficult to implement a technology that strikes the right tradeoff between
CX (as a company known for CX wants it) and security (as the regulator mandates it). Maybe such a technology exists but, for the specific case of iCloud Photo Scandal, can't such a hack be prevented by inserting a CAPTCHA in the “Find My iPhone” service so
that (1) Fraudsters won't be able to run “brute force” programs to guess Jennifer Lawrence's iCloud account password (2) If she herself forgets her password, she'd be able to retrieve it with only the friction of cracking the CAPTCHA code? Seems like a simple
solution.

Pat's profile

Throughout his career, Pat has been at the forefront of industry thinking, representing organisations on industry bodies and leading participation in industry initiatives. At ValidSoft, he leads the R...